SOLUTION BRIEF: SCALABLE PROTECTION ON-DEMAND FOR ELASTIC SERVICE MODELS
Fortinet VM On-Demand Program for Service Providers
INTRODUCTION
Communications service providers, cloud providers, and MSSPs are being driven by a number of enterprise data center trends, including the shift from capex to opex models as driven by IaaS/PaaS/SaaS and the need to deliver that infrastructure with more agility and elasticity to help accelerate business initiatives. Service providers in turn are looking to infrastructure suppliers, including firewall and security vendors, to help reduce capital risks and better align IT costs with recurring and on-demand service revenues.

The FortiOS virtualized security appliance and the Fortinet VM On-Demand program enable service providers to deliver award-winning Fortinet firewall and other protection in an on-demand, pay-as-you-grow model that is better aligned with the agility and elasticity in modern cloud and managed service offerings. Members of Fortinet’s MSSP Partner program, as well as other qualified service providers globally, can deploy scalable virtual firewalling and advanced security services on an as-needed, per-tenant basis, with actual costs automatically and transparently measured based on actual usage.

PAY-AS-YOU-GROW PLATFORM
The VM On-Demand Program is a turnkey platform for transparent licensing, provisioning, metering, and billing of on-demand security VMs within the provider environment. A pay-as-you-grow pricing model enables providers to offer protection when and where customers and tenants need it, but pay only for actual customer usage as the platform is consumed. Providers can flexibly spin up firewall VM instances on a per-tenant basis as needed. Elastic resource tiers support varying capacity needs, while FortiGuard threat tiers range from firewall-only to full unified-threat protection.

KEY FEATURES AND BENEFITS
- Turnkey, out-of-the-box platform for pay-as-you-grow firewall consumption
- Seamless on-demand VM licensing, provisioning, metering, billing
- Unlimited firewall capacity available as needed for elastic clouds and workloads
- Infrastructure costs aligned with tenant/customer service revenues on a per-period basis, e.g., monthly
- Avoidance of excess capitalization from over-provisioned capacity

ON-DEMAND SECURITY USE CASES
Public IaaS Clouds
Many telcos and service providers are rolling out Infrastructure-as-a-Service (IaaS) offerings as enterprises look to migrate virtual server workloads from internal data centers to provider-hosted public clouds. Enterprises are often looking for both cost-effective opex infrastructure as well as elastic server capacity to accelerate business initiatives, and increasingly expect to be able to procure firewall and advanced security services on-demand to elastically protect their user data and privacy.

Network Function Virtualization (NFV)
The Network Function Virtualization (NFV) movement in the service provider industry takes advantage of SDN and network virtualization principles to replace monolithic physical network and security devices with virtual network functions (VNFs) encapsulated as VMs, i.e., virtualized firewalls and other appliances that can be deployed on more commoditized hardware. This interoperable, standards-based approach to service insertion and service-chaining provides an efficient, modular, scale-out approach to service delivery. NFV Management and Orchestration (MANO) enables automated instantiation of security VNFs into the service chain, and is well-complemented by opex and pay-as-you-grow firewall VNF licensing that can scale capacity with customer needs.

Virtual CPE (vCPE)
Virtual CPE (Customer Premises Equipment) replaces provider-managed broadband devices such as access routers and firewalls that traditionally sat at the network edge on customer (subscriber) premises, with virtualized network functions (VNFs) based on NFV principles. Virtual routing, switching, firewalling, and other edge services can be relocated back to the provider data center in large, pooled server hosts, or can remain on customer premises but within a low-cost CPE host, the latter approach sometimes known more specifically as universal CPE (uCPE).

With a vCPE/uCPE model, access-based providers can reduce costs when provisioning managed services without requiring truck rolls to deliver/maintain/upgrade proprietary hardware devices, while additionally increasing cross-sell/upsell revenue opportunity from value-added services. On-demand advanced security, for example, could enable existing firewall customers to easily add IPS, web filtering, or antimalware quickly in response to heightened hacker or advanced threat activity.

SOLUTION COMPONENTS
There are three product and technology components to the VM On-Demand Program:

FortiOS VM: Firewall and advanced security virtual appliance running the same FortiOS firmware and security engines found in award-winning FortiGate appliances, with transparent licensing mechanism.
FortiManager: Centralized authorization, management, and usage metering for provisioned FortiOS virtual appliances at the provider premises.
FortiCare: SaaS-based metering account is created within FortiCare cloud portal to aggregate and report FortiManager and FortiOS virtual appliance metrics continually. Prepaid billing enables payment only as usage is consumed.

VOLUME-BASED USAGE METERING
The VM On-Demand program meters usage based on customer traffic volumes (e.g., per gigabyte of network traffic inspected), rather than on the throughput capacity of the security appliances deployed, enabling costs to be aligned with only what customers actually use. This provides efficiencies in numerous ways compared to hardware or virtual appliance perpetual licensing.

First, providers traditionally needed to budget firewall capacity upfront to meet expected capacity over the multi-year lifecycle of an appliance or chassis hardware solution based on expectation of customer/subscriber growth. In addition to fully capitalizing the hardware expense upfront, this also meant that hardware was significantly under-utilized initially. With a usage-based metering model, providers don’t need to pay years ahead for capacity for anticipated customer growth.

Second, providers often must size firewall appliance capacity to handle peak loads, which means that often 80-90 percent of that appliance capacity is sitting idle during normal periods. With a volume-based model, there is no penalty to oversize VM capacity to handle infrequent peak traffic, as usage is charged only by actual volume.

Third, other scenarios like high availability are more attractive because a standby firewall instance in an active/standby configuration provides business continuity without incurring any added volume-based metering costs.

SUMMARY
Service providers are under increasing pressure to deliver cloud and managed services in a more agile manner, and need to be able to supply infrastructure and security capacity elastically while minimizing capital risks from overcapacity. FortiOS virtual security appliances and the Fortinet VM On-Demand program provide a unique turnkey solution for providing on-demand, pay-as-you-grow firewall capacity while aligning security infrastructure costs with actual customer cloud and managed service revenues.

GLOBAL HEADQUARTERS
Fortinet Inc.
899 Kifer Road
Sunnyvale, CA 94086
United States
Tel: +1.408.235.7700
www.fortinet.com/sales

EMEA SALES OFFICE
905 rue Albert Einstein
06560 Valbonne
France
Tel: +33.4.8987.0500

APAC SALES OFFICE
300 Beach Road 20-01
The Concourse
Singapore 199555
Tel: +65.6513.3730

LATIN AMERICA HEADQUARTERS
Sawgrass Lakes Center
13450 W. Sunrise Blvd., Suite 430
Sunrise, FL 33323
Tel: +1.954.368.9990

Copyright © 2016 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
December, 2016